Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-crypto-types-29: (with DISCUSS and COMMENT)

Kent Watsen <kent+ietf@watsen.net> Mon, 12 February 2024 19:45 UTC

Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-crypto-types@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
To: Paul Wouters <paul.wouters@aiven.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/-MAqDGoUBYHeoIG_jI1EqigQm-4>

Hi Paul,

> On Feb 11, 2024, at 9:37 PM, Paul Wouters <paul.wouters@aiven.io> wrote:
> 
> I have no good advice to give on strictness of CRLs and OCSP. Obviously a per connection setting would be better than a global setting but that might not be easy. Eg libreswan has it as global option partially because it keeps a global store of received certificates.
> 

Granular is better.

I’m thinking of adding the following to the `trust-anchor-cert-grouping` and `end-entity-cert-grouping` groupings:

    leaf disable-strict-enforcement {
        nacm:default-deny-all;
        type boolean;
        default false;
        description
          "Disables strict enforcement of this certificate.
           Ignore issues regarding, e.g., the certificate's
           validity period or CRL/OCSP validity.

           This flag should only be set in an emergency
           to enable a service to work.  Setting this flag
           is NOT RECOMMENDED.";
    }


Is this what you want?
> Paul


Kent
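An added illustration (example code, not from the draft or from either message in this thread) of how a validator might honour the proposed per-certificate flag: findings about the validity period or stale CRL/OCSP data are still recorded for the audit trail, the flag waives them only on the certificate it is set on, and, as an assumption not stated above, a definitive "revoked" answer is never waived. The `Cert` and `Revocation` types and the sample chain are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

class Revocation(Enum):
    GOOD = "good"            # fresh CRL/OCSP data says not revoked
    REVOKED = "revoked"      # fresh CRL/OCSP data says revoked
    STALE = "stale"          # CRL expired or OCSP responder unreachable

@dataclass
class Cert:
    name: str
    not_before: datetime
    not_after: datetime
    revocation: Revocation
    # Mirrors the proposed YANG leaf: set per certificate, default false.
    disable_strict_enforcement: bool = False

def evaluate(cert: Cert, now: datetime) -> tuple[bool, list[str]]:
    """Return (accepted, findings). Findings are always recorded so the
    audit trail shows what the override waived, not only whether it passed."""
    findings = []
    if not (cert.not_before <= now <= cert.not_after):
        findings.append(f"{cert.name}: outside validity period")
    if cert.revocation is Revocation.STALE:
        findings.append(f"{cert.name}: CRL/OCSP data stale or unavailable")
    # Assumption: the flag covers the validity of the CRL/OCSP data itself,
    # so a definitive 'revoked' answer is never waived.
    if cert.revocation is Revocation.REVOKED:
        return False, findings + [f"{cert.name}: revoked"]
    if findings and cert.disable_strict_enforcement:
        findings.append(f"{cert.name}: waived by disable-strict-enforcement")
        return True, findings
    return not findings, findings

def evaluate_chain(chain: list[Cert], now: datetime) -> tuple[bool, list[str]]:
    """Per-certificate, not global: a flag on one cert waives only its own findings."""
    accepted, all_findings = True, []
    for cert in chain:
        ok, findings = evaluate(cert, now)
        accepted, all_findings = accepted and ok, all_findings + findings
    return accepted, all_findings

# Constructed sample chain: an expired end-entity cert with the override set,
# and an issuer whose CRL is stale and which carries no override.
NOW = datetime(2024, 2, 12, tzinfo=timezone.utc)
EE = Cert("ee", datetime(2023, 1, 1, tzinfo=timezone.utc),
          datetime(2024, 1, 1, tzinfo=timezone.utc), Revocation.GOOD, True)
ISSUER = Cert("issuer", datetime(2020, 1, 1, tzinfo=timezone.utc),
              datetime(2030, 1, 1, tzinfo=timezone.utc), Revocation.STALE)
```

`evaluate_chain([EE, ISSUER], NOW)` rejects the chain: the end-entity's expiry is waived by its own flag, but the issuer's stale CRL is not, which is the granular behaviour the message is after.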